Many Devices Will Never Be Patched to Fix Heartbleed Bug

Why It Matters

Network-connected hardware can provide a backdoor into corporate or home networks, where valuable information is shared freely.

A security bug uncovered this week affects an estimated two-thirds of websites and has Internet users scrambling to understand the problem and update their online passwords. But many systems vulnerable to the flaw are out of public view and are unlikely to get fixed.

OpenSSL, in which the bug, known as Heartbleed, was found, is widely used in software that connects devices in homes, offices, and industrial settings to the Internet. The Heartbleed flaw could live on for years in devices like networking hardware, home automation systems, and even critical industrial-control systems, because they are infrequently updated.

Network-connected devices often run a basic Web server to let an administrator access online control panels. In many cases, these servers are secured using OpenSSL and their software will need updating, says Philip Lieberman, president of security company Lieberman Software. However, this is unlikely to be a priority. “The manufacturers of these devices will not release patches for the vast majority of their devices, and consumers will patch an insignificant number of devices.”

Cable boxes and home Internet routers are just two of the major classes of devices likely to be affected, says Lieberman. “ISPs now have millions of these devices with this bug in them,” he says.

The same issue likely affects many companies, because plenty of enterprise-grade network hardware and industrial and business automation system also rely on OpenSSL, and those devices are also rarely updated. Large-scale scans of Internet addresses have previously uncovered hundreds of thousands of devices, ranging from IT equipment to traffic control systems, that are improperly configured or have not been updated to patch known flaws (see “What Happened When One Man Pinged the Whole Internet”).

“Unlike servers being patched by armies of corporate IT staff, these Internet-enabled devices with vulnerable OpenSSL parts aren’t going to be getting the attention they may need,” says Jonathan Sander, strategy and research officer for STEALTHbits Technologies, which helps companies manage and track data access and leaks. “OpenSSL is like a faulty engine part that’s been used in every make and model of car, golf cart, and scooter.”

It is difficult to estimate how many devices connected to the Internet are susceptible to the Heartbleed bug, but it has been present in OpenSSL for a long time. “Anything that was compiled in a version of OpenSSL between December 2011 and the day before yesterday could be vulnerable,” says Mark Schloesser, a security researcher for the IT security company Rapid7.

Another unknown is what valuable data can be accessed by a Heartbleed attack. Schloesser says that tests so far suggest it varies widely from one system to the next. Yahoo’s servers, for example, leaked user passwords, while others were found to leak little of value.

Not everyone currently trying to figure out which systems do leak important information is a security researcher with good intentions. “There are lots of people trying to use this to do widespread exploitation,” says Schloesser. He points to activity seen in Web server logs since the problem was disclosed showing efforts to find vulnerable systems, and the appearance of scripts that can be used to test for Heartbleed vulnerabilities.

Sander points out that many single-purpose devices—for example, Internet-connected thermostats—don’t contain much valuable information. But he adds that they could spill enough for an attacker to log in and take control, and even small amounts of data could reveal, for example, whether or not someone is at home.